US20180247089A1 - Program execution device - Google Patents

Abstract

A program execution device capable of protecting a program against unauthorized analysis and alteration is provided. The program execution device includes an execution unit, a first protection unit, and a second protection unit. The execution unit executes a first program and a second program, and is connected with an external device that is capable of controlling the execution. The first protection unit disconnects the execution unit from the external device while the execution unit is executing the first program. The second protection unit protects the first program while the execution unit is executing the second program.

Description

BACKGROUND OF THE INVENTIONTechnical Field
• The present invention relates to techniques of protecting programs against unauthorized alteration and analysis.
Background Art
• In recent years, the widespread use of PCs and the Internet makes it possible to copy or edit digital content such as software easily. This being so, tamper-resistant techniques are needed to protect software against unauthorized alteration and analysis.
• Research has long been performed on tamper-resistant techniques. For example, an article “Protecting Software against Inverse Analysis and Falsification” in Nikkei Electronics, Jan. 5, 1998, pp. 209-220 describes basic principles and concrete methods for preventing unauthorized software analysis. Also, an article “Software Tamper-resistant Techniques” in Fuji Xerox Technical Report, No. 13, pp. 20-28 deals with technical problems and measures concerning prevention of unauthorized software analysis.
• Despite this research, more various techniques for protecting programs against malicious users are still needed.
SUMMARY OF THE INVENTION
• In view of the above problem, the present invention aims to provide a program execution device that can execute a program securely by preventing unauthorized alteration and analysis.
• The above aim can be achieved by a program execution device that executes a first secure program which runs in a first security level and a second secure program which runs in a second security level lower than the first security level, including: an execution unit operable to operate by switching between a first mode which is in the first security level and a second mode which is in the second security level; an external device disconnection unit operable to disconnect the execution unit from an external device according to an instruction of the first secure program; and a protection unit operable to protect the second secure program. According to this construction, programs can be protected from both external attacks using hardware and attacks using software. Also, a high level of security can be achieved by disconnecting the external device.
• Here, the program execution device may further include an interrupt detection unit operable to detect an interrupt, wherein the protection unit includes a memory area in which the execution unit writes data when operating according to the second secure program, and when the interrupt detection unit detects an interrupt while the execution unit is operating according to the second secure program, the protection unit encrypts the data written in the memory area, and, after the execution unit finishes processing the interrupt, decrypts the encrypted data in the memory area before the execution unit resumes operating according to the second secure program. According to this construction, the data in the memory area is encrypted before control is transferred from the second secure program to another program. In this way, the data used by the second secure program can be protected from other programs, with it being possible to prevent unauthorized analysis of the second secure program using software. Also, memory usage can be reduced by encrypting only the data in the memory area. This enables a device, e.g. a mobile telephone or a PDA, whose resources such as the CPU processing speed and the memory capacity are limited, to maintain a high level of security.
• Here, the second secure program may include a call instruction for calling the first secure program, wherein the execution unit, according to the call instruction, passes the second tamper detection value, a start address of the at least one part of the second secure program, and a size of the at least one part of the second secure program, to the first secure program.
• Here, before the execution unit executes the call instruction, the protection unit may disable interrupt processing by the execution unit, wherein the execution unit, (a) according to the call instruction, passes an encrypted program key to the first secure program, (b) according to the first secure program, decrypts the encrypted program key received from the second secure program using a master key included in the first secure program, and passes the decrypted program key to the second secure program, if the first tamper detection value and the second tamper detection value are same, and (c) according to the second secure program, decrypts an encrypted part of the second secure program using the decrypted program key received from the first secure program, and then deletes the decrypted program key, and after the execution unit deletes the decrypted program key, the protection unit enables the interrupt processing by the execution unit.
• According to these constructions, no interrupt is accepted until the program key for decrypting the encrypted program is deleted. Thus, the program key is protected from unauthorized analysis which is performed by means of an interrupt, with it being possible to prevent unauthorized analysis of the second secure program.
• Here, the execution unit, according to the first secure program, may perform a hash operation on at least one part of the second secure program using a secret key to calculate a first tamper detection value, compare the first tamper detection value with a second tamper detection value which has been calculated based on the at least one part of the second secure program upon generation of the second secure program, and terminate the operation if the first tamper detection value and the second tamper detection value are different, and continue the operation if the first tamper detection value and the second tamper detection value are same.
• According to this construction, the execution unit terminates the operation if the second secure program is judged as being tampered with. This minimizes damage in the case where the second secure program has been tampered with.
• Also, the second secure program contains a tamper detection value generated based on at least one part of the second secure program. This being so, when the second secure program needs to be changed such as when the second secure program has been tampered with, the change can be made to the second secure program alone without changing other processing means of the program execution device.
BRIEF DESCRIPTION OF DRAWINGS
• FIG. 1 shows an overall construction of a secure processing system to which an embodiment of the present invention relates.
• FIG. 2 is a block diagram showing a construction of a certificate authority device shown inFIG. 1.
• FIG. 3 is a flowchart showing an operation of a compiler shown inFIG. 2.
• FIG. 4 is a block diagram showing a construction of a memory card shown inFIG. 1.
• FIG. 5 is a block diagram showing a construction of a portable terminal shown inFIG. 1.
• FIG. 6 shows programs stored in a memory shown inFIG. 5.
• FIG. 7 shows a data structure of a second secure processing program shown inFIG. 6.
• FIG. 8 shows a data structure of a calling program shown inFIG. 7.
• FIG. 9 is a flowchart showing a procedure of an interrupt handler shown inFIG. 7.
• FIG. 10 shows a data structure of a first secure processing program shown inFIG. 6.
• FIG. 11 shows a data structure of a vector table shown inFIG. 6.
• FIG. 12 is a flowchart showing an operation of a CPU shown inFIG. 5.
• FIG. 13 is a flowchart showing a music data playback procedure.
• FIG. 14 is a flowchart showing the music data playback procedure.
• FIG. 15 is a flowchart showing the music data playback procedure.
• FIG. 16 is a flowchart showing the music data playback procedure.
• FIG. 17 is a flowchart showing the music data playback procedure.
• FIG. 18 is a flowchart showing an authentication procedure.
• FIG. 19 is a flowchart showing an operation of the CPU when an interrupt occurs.
DETAILED DESCRIPTION OF THE INVENTION
• The following describes an embodiment of the present invention in detail, with reference to drawings.
1. Construction of aSecure Processing System1
• FIG. 1 shows an overall construction of asecure processing system1 to which the embodiment of the present invention relates. In the drawing, thesecure processing system1 is roughly made up of acertificate authority device100, aROM writer200, aportable terminal300, and amemory card400.
• Thesecure processing system1 protects a program which is executed in theportable terminal300 from unauthorized analysis and alteration. The program to be protected is generated in thecertificate authority device100 and written to a ROM by theROM writer200. The ROM carrying the program is then installed in theportable terminal300.
• In this embodiment, the program to be protected is an encrypted music data decryption program for decrypting encrypted music data recorded on thememory card400, as one example.
1.1.Certificate Authority Device100
• Thecertificate authority device100 generates a second secure processing program that includes anarea allocation program511, aninterrupt disable program512, acalling program513, akey reception program514, anexecution flag515, aninterrupt handler518, adecryption program516, and a secure program shown inFIG. 7. The secure program includes an encrypted musicdata decryption program524 which needs to be protected. The generated second secure processing program is written on the ROM by theROM writer200 and installed in theportable terminal300. Each of the programs is described in detail later.
• FIG. 2 shows a construction of thecertificate authority device100. In the drawing, thecertificate authority device100 includes acompiler101, aprogram encryption unit102, akey encryption unit103, a hashvalue calculation unit104, adata embedment unit105, astorage unit106, and atransmission unit107.
• Thecertificate authority device100 is actually realized by a computer system that includes a microprocessor, a ROM, a RAM, a hard disk unit, a display unit, and a keyboard. The functions of thecertificate authority device100 are realized by the microprocessor executing a computer program stored on the RAM or the hard disk unit.
(1)Compiler101
• Thecompiler101 receives an input of source code of a protection program, thecalling program513, thedecryption program516, and the secure program. The protection program is made up of thearea allocation program511, the interrupt disableprogram512, thekey reception program514, theexecution flag515, and the interrupthandler518. Thecalling program513 is used for sending data that is needed to detect whether the second secure processing program has been tampered with. Thecalling program513 contains a start address of a TRS area program on a memory of theportable terminal300. The TRS area program corresponds to thedecryption program516 and anencrypted program517 of the second secure processing program. Theencrypted program517 is generated by encrypting the secure program.
• Upon receiving the source code of thecalling program513, thedecryption program516, the secure program, and the protection program, thecompiler101 compiles each of the programs.
• FIG. 3 is a flowchart showing an operation of compiling a program by thecompiler101.
• Thecompiler101 performs lexical analysis (S621) and syntactic analysis (S622). Finally, thecompiler101 generates binary data representing a program that is executable by a computer (S623).
• Thecompiler101 outputs binary data of thecalling program513 and binary data of the protection program to thedata embedment unit105. Thecompiler101 also outputs binary data of thedecryption program516 and binary data of the secure program to theprogram encryption unit102.
(2)Program Encryption Unit102
• Theprogram encryption unit102 receives the binary data of thedecryption program516 and the binary data of the secure program. Theprogram encryption unit102 also receives a program key. Theprogram encryption unit102 encrypts the secure program using the program key according to encryption algorithm E1, to generate theencrypted program517. As one example, encryption algorithm E1 is an AES (Advanced Encryption Standard) algorithm. AES is well known in the art and so its explanation has been omitted here. Algorithms other than AES may also be used as encryption algorithm E1.
• Theprogram encryption unit102 outputs thedecryption program516 and theencrypted program517 to thedata embedment unit105 as the TRS area program.
• Theprogram encryption unit102 also outputs the TRS area program to the hashvalue calculation unit104.
(3)Key Encryption Unit103
• Thekey encryption unit103 receives the program key and a master key.
• Thekey encryption unit103 encrypts the program key using the master key according to encryption algorithm E1, to generate an encrypted key. Thekey encryption unit103 outputs the encrypted key to thedata embedment unit105.
(4) HashValue Calculation Unit104
• The hashvalue calculation unit104 calculates a hash value of at least one part of the second secure processing program.
• In this embodiment, the hashvalue calculation unit104 receives the TRS area program and a secret key, and calculates a hash value of the TRS area program using the secret key according to a hash function.
• For example, an algorithm used for HMAC (Keyed-Hashing for Message Authentication) may be used to calculate the hash value.
• Let H be a hash function, K be a secret key, text be data to be hashed, opad be a character string made up of 64 number of byte values Ox36, and ipad be a character string made up of 64 number of byte values Ox5C. This being the case, an algorithm for calculating a hash value can be expressed as H(K XOR opad, H(K XOR ipad, text)).
• The hashvalue calculation unit104 also calculates a binary size of the TRS area program.
• The hashvalue calculation unit104 outputs the hash value and the binary size to thedata embedment unit105.
(5)Data Embedment Unit105
• Thedata embedment unit105 receives the binary data of thecalling program513 and the binary data of the protection program from thecompiler101, and the hash value and the binary size from the hashvalue calculation unit104. Thedata embedment unit105 also receives the encrypted key from thekey encryption unit103, and the TRS area program from theprogram encryption unit102.
• Thedata embedment unit105 embeds the hash value in thecalling program513 as a tamper detection value. Thedata embedment unit105 also embeds the binary size and the encrypted key in thecalling program513. Thedata embedment unit105 includes the resultingcalling program513 into the protection program, and combines the protection program and the TRS area program to form the second secure processing program. Thedata embedment unit105 writes the second secure processing program to thestorage unit106.
(6)Storage Unit106
• Thestorage unit106 stores the second secure processing program written by thedata embedment unit105.
(7)Transmission Unit107
• Thetransmission unit107 outputs the second secure processing program stored in thestorage unit106, to theROM writer200.
1.2.ROM Writer200
• TheROM writer200 is connected with thecertificate authority device100. TheROM writer200 receives the second secure processing program from thecertificate authority device100, and writes the second secure processing program to the ROM. The ROM on which the second secure processing program is written by theROM writer200 is then installed in theportable terminal300.
1.3.Memory Card400
• FIG. 4 shows a construction of thememory card400. In the drawing, thememory card400 includes acontrol unit401, an input/output unit402, anauthentication unit403, and aninformation storage unit404.
(1) Input/output Unit402
• The input/output unit402 performs transfer of data between thecontrol unit401 and theportable terminal300, when thememory card400 is connected to theportable terminal300.
(2)Information Storage Unit404
• Theinformation storage unit404 has adata area410 and asecure area420.
• Thedata area410 storesencrypted music data411. Theencrypted music data411 is generated by encrypting MP3 music data using atitle key421 according to encryption algorithm E1.
• Thesecure area420 stores thetitle key421. Theportable terminal300 can access thesecure area420 only when it has succeeded in mutual authentication with theauthentication unit403.
• Here, data which is stored in theinformation storage unit404 may be encrypted using information unique to thememory card400.
(3)Authentication Unit403
• Theauthentication unit403 performs mutual authentication with theportable terminal300 based on CPRM (Content Protection for Recordable Media). If the mutual authentication is successful, theauthentication unit403 establishes a shared key with theportable terminal300, and outputs the shared key to thecontrol unit401. CPRM is well known in the art and so its explanation has been omitted here. Methods other than CPRM may also be used for the mutual authentication.
(4)Control Unit401
• Thecontrol unit401 performs transfer of data with theportable terminal300 via the input/output unit402. Thecontrol unit401 permits theportable terminal300 to access the data stored in thesecure area420 only if theportable device300 has succeeded in the mutual authentication with theauthentication unit403. When outputting the data stored in thesecure area420, thecontrol unit401 encrypts the data using the shared key received from theauthentication unit403.
• Meanwhile, thecontrol unit401 permits theportable terminal300 to access the data stored in thedata area410 without the mutual authentication.
1.4.Portable Terminal300
• FIG. 5 shows a construction of theportable terminal300. In the drawing, theportable terminal300 includes aCPU301, adebugger interface302, a debugger disablecircuit303, an interruptcontroller304, amemory305, amemory card interface306, aninput unit307, adisplay unit308, aspeaker309, adecoder310, amicrophone312, aconversion unit313, aradio control unit314, aradio unit315, and anantenna316. These components of theportable terminal303 are connected with abus317. Also, the interruptcontroller304 is connected to theCPU301 by an interruptline318.
• The following describes each of the components of theportable terminal300.
(1) Debugger DisableCircuit303 andDebugger Interface302
• The debugger disablecircuit303 is provided between theCPU301 and thedebugger interface302, to connect/disconnect theCPU301 and thedebugger interface302.
• Upon receiving a debugger control signal indicating “enable” from theCPU301, the debugger disablecircuit303 connects theCPU301 to thedebugger interface302. Upon receiving a debugger control signal indicating “disable” from theCPU301, the debugger disablecircuit303 disconnects theCPU301 from thedebugger interface302.
• When theCPU301 and thedebugger interface302 are connected with each other, an external debugger device connected to thedebugger interface302 is enabled. If theCPU301 and thedebugger interface302 are disconnected from each other, the debugger device is disabled. For example, the debugger disablecircuit303 can be realized by a switch. Here, the connection/disconnection between theCPU301 and thedebugger interface302 maybe made physically by means of a switch circuit or made electrically.
• Thedebugger interface302 is used for connecting theportable terminal300 and the debugger device.
(2)Memory305
• Thememory305 stores a firstsecure processing program501, a secondsecure processing program502, a vector table503, amusic playback program504, and anapplication505, as shown inFIG. 6.
(A) Second SecureProcessing Program502
• The secondsecure processing program502 is generated by thecertificate authority device100 and stored on the ROM by theROM writer200.
• FIG. 7 shows the data structure of the secondsecure processing program502. The following explains each of the programs constituting the secondsecure processing program502.
(Area Allocation Program511)
• Thearea allocation program511 allocates a memory space, in thememory305, for dynamically allocating a memory area that is used when executing theauthentication program523 and the encrypted musicdata decryption program524.
(Interrupt Disable Program512)
• The interrupt disableprogram512 disables (i.e. masks) interrupts.
(Calling Program513)
• Thecalling program513 calls the firstsecure processing program501.
• Thecalling program513 includes tamper detection data that is composed of atamper detection value541, a TRS area startaddress542, abinary size543, and anencrypted key544, as shown inFIG. 8. When calling the firstsecure processing program501, thecalling program513 also passes this tamper detection data embedded by thedata embedment unit105 of thecertificate authority device100, to the firstsecure processing program501.
• Here, thetamper detection value541 is the hash value calculated by the hashvalue calculation unit104 of thecertificate authority device100 for the TRS area program in the secondsecure processing program502.
• The TRS area startaddress542 is the start address of the TRS area program which is subjected to hash value calculation, in thememory305.
• Thebinary size543 is the binary size of the TRS area program.
• Theencrypted key544 is the program key encrypted by thekey encryption unit103 of thecertificate authority device100 using the master key.
(Key Reception Program514)
• Thekey reception program514 receives the program key from the firstsecure processing program501, and passes the program key to thedecryption program516.
(Execution Flag515)
• Theexecution flag515 shows whether the secure program is being executed or not. Immediately before thedecryption program516 decrypts theencrypted program517, theexecution flag515 is set to ON indicating that the secure program is being executed. When the execution of the secure program obtained by decrypting theencrypted program517 completes, theexecution flag515 is set to OFF.
(Decryption Program516)
• Thedecryption program516 receives the program key from thekey reception program514, and decrypts theencrypted program517 using the program key according to decryption algorithm D1 to obtain the secure program. Here, decryption algorithm D1 is an inverse of encryption algorithm E1.
• For example, a technique disclosed in International Patent Application Publication No. WO04/013744 (published on Feb. 12, 2004) maybe used for decrypting theencrypted program517. According to this technique, theencrypted program517 is loaded to a memory and decrypted in units of small portions. This prevents the whole secure program from existing on the memory. Accordingly, even when an unauthorized party accesses data in the memory, it cannot obtain the whole secure program.
(Encrypted Program517)
• Theencrypted program517 is generated by encrypting the secure program. The secure program includes an interrupt enableprogram521, anarea initialization program522, anauthentication program523, the encrypted musicdata decryption program524, anarea key525, anarea encryption program526, anarea decryption program527, and anarea release program528 shown inFIG. 7. In theencrypted program517, the interrupt enableprogram521, thearea initialization program522, theauthentication program523, thearea key525, thearea encryption program526, thearea decryption program527, and thearea release program528 protect the encrypted musicdata decryption program524 from other programs.
(a) InterruptEnable Program521
• The interrupt enableprogram521 releases the disablement of interrupts made by the interrupt disableprogram512.
(b)Area Initialization Program522
• Thearea initialization program522 initializes the memory space allocated by thearea allocation program511, to allocate, in the memory space, a memory area which is subjected to encryption.
• This memory area is allocated to write data that is used during execution of theauthentication program523 and the encrypted musicdata decryption program524.
(c)Authentication Program523
• Theauthentication program523 contains anauthentication key531.
• Theauthentication program523 performs one-way authentication to judge whether the firstsecure processing program501 is valid.
(d) Encrypted MusicData Decryption Program524
• The encrypted musicdata decryption program524 decrypts theencrypted music data411 stored on thememory card400 using thetitle key421 according to decryption algorithm D1, to obtain the music data.
(e)Area Key525
• Thearea key525 is used by thearea encryption program526 to encrypt the data in the memory area allocated by thearea initialization program522, and by thearea decryption program527 to decrypt the encrypted data in the memory area.
(f)Area Encryption Program526
• Thearea encryption program526 encrypts the data in the memory area using thearea key525 according to encryption algorithm E2. Here, encryption algorithm E2 enables faster processing than encryption algorithm E1. As one example, encryption algorithm E2 is an XOR operation. Alternatively, algorithms other than an XOR operation may be used as encryption algorithm E2, which is determined based on the level of security required and the processing capacity of theCPU301.
• Thearea encryption program526 encrypts the data in the memory area, before the secondsecure processing program502 calls the firstsecure processing program501 to transfer control to the firstsecure processing program501.
(g)Area Decryption Program527
• Thearea decryption program527 decrypts the encrypted data in the memory area using thearea key525 according to decryption algorithm D2 to obtain the original plaintext data, when control is returned from the firstsecure processing program501 to the secondsecure processing program502.
(h)Area Release Program528
• Thearea release program528 releases the memory area allocated by thearea initialization program522, and calls an exit function of the firstsecure processing program501 to end a music data playback procedure.
(Interrupt Handler518)
• The interrupthandler518 is executed when an interrupt occurs during execution of the secondsecure processing program502. The interrupthandler518 contains an encryption/decryption key (not illustrated).
• FIG. 9 is a flowchart showing a procedure of the interrupthandler518. Though the interrupthandler518 is actually a computer program,FIG. 9 illustrates the procedure of the interrupthandler518 in flowchart for ease in explanation.
• The interrupthandler518 reads the execution flag515 (S611), and judges whether theexecution flag515 is ON or OFF (S612). If theexecution flag515 is ON (S612 :ON), the interrupthandler518 encrypts the data in the memory area using the encryption/decryption key according to encryption algorithm E2 (S613). After this, the interrupthandler518 processes the interrupt. If theexecution flag515 is OFF (S612:OFF), the interrupthandler518 processes the interrupt without encrypting the data in the memory area.
• After processing the interrupt, if theexecution flag515 is ON (S614: ON), the interrupthandler518 decrypts the encrypted data in the memory area using the encryption/decryption key according to decryption algorithm D2 (S615), before returning to original processing. If theexecution flag515 is OFF (S614:OFF), the interrupthandler518 returns to the original processing without decrypting the data in the memory area.
(B) First SecureProcessing Program501
• FIG. 10 shows a data structure of the firstsecure processing program501. In the drawing, the firstsecure processing program501 includes adisconnection program551, atamper detection program552, akey decryption program553, akey sending program554, anauthentication program555, a data readprogram556, and aconnection program557. The firstsecure processing program501 is executed in a secure processing mode of theCPU301. The secure processing mode is explained in detail later.
(Disconnection Program551)
• Thedisconnection program551 outputs a debugger control signal indicating “disable” to the debugger disablecircuit303, when the firstsecure processing program501 is started.
(Tamper Detection Program552)
• Thetamper detection program552 contains asecret key562, and detects whether the secondsecure processing program502 has been tampered with. To do so, thetamper detection program552 acquires the tamper detection data including thetamper detection value541, the TRS area startaddress542, thebinary size543, and theencrypted key544, from thecalling program513 of the secondsecure processing program502.
• Thetamper detection program552 reads an amount of data corresponding to thebinary size543 from a position on thememory305 specified by the TRS area startaddress542, as the TRS area program. Thetamper detection program552 calculates a hash value of the TRS area program using thesecret key562 according to the hash function. Thetamper detection program552 compares the calculated hash value and thetamper detection value541. I f the two values match, thetamper detection program552 judges that the secondsecure processing program502 has not been tampered with. If the two values do not match, thetamper detection program552 judges that the secondsecure processing program502 has been tampered with, and discontinues subsequent processing.
(Key Decryption Program553)
• Thekey decryption program553 contains amaster key563. If thetamper detection program552 judges that the secondsecure processing program502 has not been tampered with, thekey decryption program553 decrypts theencrypted key544 using themaster key563 according to decryption algorithm D1, to obtain the program key. Thekey decryption program553 passes the program key to thekey sending program554.
(Key Sending Program554)
• Thekey sending program554 receives the program key from thekey decryption program553, and sends the program key to the secondsecure processing program502.
(Authentication Program555)
• Theauthentication program555 contains anauthentication key565, and undergoes the authentication by the secondsecure processing program502 using theauthentication key565. If the authentication is successful, theauthentication program555 establishes a shared session key with the secondsecure processing program502. Data which is subsequently transferred between the firstsecure processing program501 and the secondsecure processing program502 is encrypted using this session key.
(Data Read Program556)
• The data readprogram556 performs the mutual authentication with thememory card400 based on CPRM. If the mutual authentication is successful, the data readprogram556 accesses thesecure area420 of thememory card400 and acquires thetitle key421.
(Connection Program557)
• Theconnection program557 outputs a debugger control signal indicating “enable”, to the debugger disablecircuit303.
(C) Vector Table503
• FIG. 11 shows a data structure of the vector table503. As illustrated, the vector table503 shows addresses of instructions to be executed when a software interrupt, an abort, and a hardware interrupt occur.
(D)Music Playback Program504
• Themusic playback program504 plays back the music data decrypted by the secondsecure processing program502. Themusic playback program504 outputs the music data to abuffer311 in thedecoder310.
(E)Application505
• Theapplication505 receives an input of a user operation. If the user operation is to play back the music data on thememory card400, theapplication505 starts the secondsecure processing program502.
(3)CPU301
• TheCPU301 operates according to the programs stored in thememory305. The operation of theCPU301 is controlled by an instruction issued from the debugger device connected with thedebugger interface302.
• FIG. 12 is a flowchart showing an operation of theCPU301. TheCPU301 fetches an instruction of a program stored in the memory305 (S601), decodes the instruction (S602), and executes it (S603). TheCPU301 then increments a program counter (S604) to fetch the next instruction.
• Here, theCPU301 operates in the secure processing mode or a normal processing mode. In the normal processing mode, theCPU301 performs normal processing. In the secure processing mode, theCPU301 performs processing with a high level of security so that data in thememory305 cannot be accessed from outside.
• TheCPU301 executes the firstsecure processing program501 in the secure processing mode, and the secondsecure processing program502 in the normal processing mode.
• When an interrupt occurs, the interruptcontroller304 outputs an interrupt signal via the interruptline318. If interrupts are disabled by the interrupt disableprogram512, theCPU301 refuses the interrupt signal. If interrupts are not disabled, theCPU301 accepts the interrupt signal, refers to the vector table503 shown inFIG. 11, and reads an address corresponding to the interrupt signal. TheCPU301 processes an interrupt according to an interrupt handler at the read address. Having processed the interrupt, theCPU301 returns to original processing.
• When receiving an interrupt signal during execution of the secondsecure processing program502, theCPU301 refers to the vector table503 and executes the interrupthandler518 shown inFIG. 9.
(4)Input Unit307
• Theinput unit307 receives an input of a user operation.
• Upon receiving the input, theinput unit307 notifies the interruptcontroller304 of an interrupt.
(5) InterruptController304
• The interruptcontroller304 outputs an interrupt signal to theCPU301 via the interruptline318, when theinput unit307 or theradio control unit314 notifies the interruptcontroller304 of an interrupt such as a mail reception, a call reception, or a user operation.
(6)Speaker309 andDecoder310
• Thedecoder310 includes thebuffer311. Thebuffer311 buffers music data received from theCPU301. Thespeaker309 generates an audio signal from the music data in thebuffer311, and outputs the audio signal.
(7)Memory Card Interface306
• Thememory card interface306 is used to connect theportable terminal300 and thememory card400. Thememory card interface306 outputs data to thememory card400, and receives data from thememory card400 and outputs it to theCPU301, under control of theCPU301.
(8)Radio Control Unit314,Radio Unit315, andAntenna316
• Theantenna316, theradio unit315, and theradio control unit314 send/receive a sound or information with a device to which theportable terminal300 is connected via a radio base station and a portable terminal network.
• When receiving a mail or a call via theantenna316 and theradio unit315, theradio control unit314 notifies the interruptcontroller304 of an interrupt.
(9)Microphone312 andConversion Unit313
• Theconversion unit313 converts a sound received from themicrophone312 to an electrical signal, and outputs it to theradio control unit314.
2. Operation of theSecure Processing System12.1. Operation of theCertificate Authority Device100
• Thecompiler101 receives an input of source code of thecalling program513 and source code of the protection program, and compiles the source code to binary data of thecalling program513 and binary data of the protection program. Thecompiler101 outputs the binary data to thedata embedment unit105. Thecompiler101 also receives an input of source code of thedecryption program516 and source code of the secure program, and compiles the source code to binary data of thedecryption program516 and binary data of the secure program. Thecompiler101 outputs the binary data to theprogram encryption unit102.
• Theprogram encryption unit102 receives the binary data of thedecryption program516 and the binary data of the secure program. Theprogram encryption unit102 also receives the program key. Theprogram encryption unit102 encrypts the secure program using the program key, to generate theencrypted program517. Theprogram encryption unit102 outputs thedecryption program516 and theencrypted program517 to thedata embedment unit105 and the hashvalue calculation unit104, as the TRS area program.
• The hashvalue calculation unit104 receives the TRS area program. The hashvalue calculation unit104 also receives the secret key. The hashvalue calculation unit104 calculates a hash value of the TRS area program using the secret key according to the hash function. The hashvalue calculation unit104 also calculates the binary size of the TRS area program. The hashvalue calculation unit104 outputs the hash value and the binary size to thedata embedment unit105.
• Thekey encryption unit103 receives the program key and the master key, and encrypts the program key using the master key to generate the encrypted key. Thekey encryption unit103 outputs the encrypted key to thedata embedment unit105.
• Thedata embedment unit105 receives the binary data of thecalling program513 from thecompiler101, the hash value and the binary size from the hashvalue calculation unit104, and the encrypted key from thekey encryption unit103. Thedata embedment unit105 embeds the hash value in thecalling program513 as thetamper detection value541. Thedata embedment unit105 also embeds the binary size and the encrypted key in thecalling program513 as thebinary size543 and theencrypted key544. Thedata embedment unit105 further receives the binary data of the protection program from thecompiler101, and the TRS area program from theprogram encryption unit102. Thedata embedment unit105 includes thecalling program513 in the protection program, and combines the protection program and the TRS area program to form the secondsecure processing program502. Thedata embedment unit105 writes the secondsecure processing program502 to thestorage unit106.
• Thetransmission unit107 reads the secondsecure processing program502 from thestorage unit106, and outputs the secondsecure processing program502 to theROM writer200.
2.2. Music Data Playback Operation of the Portable Terminal300(1) Playback
• An operation of playing back the music data recorded on thememory card400 by theportable terminal300 through execution of programs is explained below, with reference toFIGS. 13 to 17.
• Upon receiving an input of a user operation to play back the music data on thememory card400 via theinput unit307, theapplication505 starts the second secure processing program502 (S701).
• In the secondsecure processing program502, thearea allocation program511 allocates a virtual memory space for dynamically allocating a memory area during execution of the secure program, in the memory305 (S702). Also, the interrupt disableprogram512 disables interrupts (S703). In this way, unauthorized program analysis and alteration using interrupts are prohibited. The disablement of interrupts is valid until an interrupt enable. Next, thecalling program513 calls the firstsecure processing program501, and passes the tamper detection data made up of thetamper detection value541, the TRS area startaddress542, thebinary size543, and theencrypted key544 to the first secure processing program501 (S704).
• The firstsecure processing program501 receives the tamper detection data from the second secure processing program502 (S705). In the firstsecure processing program501, thedisconnection program551 outputs a debugger control signal indicating “disable” to the debugger disable circuit303 (S706). As a result, the debugger disablecircuit303 disconnects the debugger device. In this way, unauthorized program analysis and alteration using the debugger device are prohibited.
• Next, thetamper detection program552 performs the following procedure.
• Thetamper detection program552 reads an amount of data corresponding to thebinary size543 from a position on thememory305 specified by the TRS area startaddress542, as the TRS area program. Thetamper detection program552 calculates a hash value of the TRS area program using the secret key562 (S709).
• Thetamper detection program552 compares the calculated hash value with the tamper detection value541 (S710). If the two values do not match (S710: NO), thetamper detection program552 judges that the secondsecure processing program502 has been tampered with, and discontinues subsequent processing. Theconnection program557 outputs a debugger control signal indicating “enable” to the debugger disable circuit303 (S737), and terminates the operation.
• If the two values match (S710:YES), thetamper detection program552 judges that the secondsecure processing program502 has not been tampered with. Accordingly, thekey decryption program553 decrypts theencrypted key544 using themaster key563, to obtain the program key (S711). Thekey decryption program553 passes the program key to thekey sending program554. Thekey sending program554 passes the program key to the second secure processing program502 (S712).
• In the secondsecure processing program502, thekey reception program514 receives the program key (S713). Also, theexecution flag515 is set to ON (S714). After this, thedecryption program516 decrypts theencrypted program517 using the program key, to obtain the secure program (S715). Having done so, thedecryption program516 deletes the program key (S716).
• The secure program performs the following procedure (S717).
• In the secure program, the interrupt enableprogram521 releases the disablement of interrupts made in step S703 (S718). Subsequently, if an interrupt occurs, the secure program is suspended to process the interrupt. A procedure to be performed when an interrupt occurs is explained in detail later.
• Next, thearea initialization program522 allocates a memory area in which data used by theauthentication program523 and the encrypted musicdata decryption program524 is to be stored, in the memory space (S719).
• Theauthentication program523 authenticates the firstsecure processing program501 according to an authentication procedure (described later) (S720). Theauthentication program555 in the firstsecure processing program501 undergoes the authentication by theauthentication program523. If the authentication has failed, the secondsecure processing program502 discontinues subsequent processing, and theconnection program557 in the firstsecure processing program501 outputs a debugger control signal indicating “enable” to the debugger disable circuit303 (S737) before terminating the operation.
• If the authentication has succeeded, the secondsecure processing program502 and the firstsecure processing program501 establish a shared session key. Data which is subsequently transferred between the secondsecure processing program502 and the firstsecure processing program501 is encrypted using this session key.
• If the authentication has succeeded, the secondsecure processing program502 transfers control to themusic playback program504.
• Themusic playback program504 reads theencrypted music data411 from the memory card400 (S721). Themusic playback program504 also requests the secondsecure processing program502 to decrypt the encrypted music data411 (S722).
• Upon receiving the request to decrypt theencrypted music data411, the secondsecure processing program502 calls thearea encryption program526. Thearea encryption program526 encrypts the data in the memory area allocated in step S719, using the area key525 (S723). After this, the secondsecure processing program502 requests the firstsecure processing program501 to acquire the title key421 (S724).
• In the firstsecure processing program501, the data readprogram556 performs mutual authentication with theauthentication unit403 in the memory card400 (S725). If the mutual authentication has succeeded (S726:YES), the data readprogram556 accesses thesecure area420 in thememory card400 and acquires the title key421 (S727). If the mutual authentication has failed, the data readprogram556 cannot acquire thetitle key421. In this case, theconnection program557 outputs a debugger control signal indicating “enable” to the debugger disable circuit303 (S737), before terminating the operation.
• The firstsecure processing program501 encrypts thetitle key421 using the session key, to generate an encrypted title key (S728). The firstsecure processing program501 passes the encrypted title key to the secondsecure processing program502.
• In the secondsecure processing program502, thearea decryption program527 decrypts the encrypted data in the memory area using thearea key525, to recover the original data (S729). Theauthentication program523 decrypts the encrypted title key using the session key, to obtain the title key421 (S730). Following this, the encrypted musicdata decryption program524 decrypts theencrypted music data411 read from thememory card400 by themusic playback program504, using the title key421 (S731). As a result, the music data is obtained. The encrypted musicdata decryption program524 passes the music data to themusic playback program504.
• Themusic playback program504 plays back the music data (S732).
• Once the playback of the music data has completed (S733), themusic playback program504 transfers control to the secondsecure processing program502. In the secondsecure processing program502, thearea release program528 releases the memory area allocated in step5719 (S734), and calls an exit function of the first secure processing program501 (S735). Also, theexecution flag515 is set to OFF (S736).
• In the firstsecure processing program501, theconnection program557 outputs a debugger control signal indicating “enable” to the debugger disable circuit303 (S737), before terminating the operation.
(2) Authentication
• The procedure of authenticating the firstsecure processing program501 by the secondsecure processing program502 in step5720 is explained below, with reference toFIG. 18.
• The secondsecure processing program502 generates random number R0 and passes random number R0 to the first secure processing program501 (S751).
• The firstsecure processing program501 receives random number R0, and encrypts random number R0 using theauthentication key565 to generate authentication value R1 (S752). The firstsecure processing program501 passes authentication value R1 to the second secure processing program502 (S753).
• The secondsecure processing program502 receives authentication value R1 from the firstsecure processing program501. The secondsecure processing program502 encrypts random number R0 using theauthentication key531, to generate authentication value R2 (S754). The secondsecure processing program502 compares authentication value R1 with authentication value R2 (S755). If the two values do not match (S755:NO), the secondsecure processing program502 passes a judgment result indicating “mismatch” to the first secure processing program501 (S756), and terminates the procedure. If the two value match (S755: YES), the secondsecure processing program502 passes a judgment result indicating “match” to the first secure processing program501 (S757). The secondsecure processing program502 then generates the session key from random number R0 andauthentication key531 using a one-way function (S759).
• If the received judgment result indicates “mismatch” (S758:NO), the firstsecure processing program501 terminates the procedure. If the received judgment result indicates “match” (S758:YES), the firstsecure processing program501 generates the session key from random number R0 andauthentication key565 using the one-way function (S760).
• Thus, the secondsecure processing program502 authenticates the firstsecure processing program501, and shares the session key if the authentication is successful. Data which is subsequently transferred between the firstsecure processing program501 and the secondsecure processing program502 is encrypted using this session key.
(3) Interrupt
• The operation of theCPU301 when an interrupt occurs during execution of the secondsecure processing program502 is explained below, with reference toFIG. 19. Here, the interrupt is a mail reception as one example.
• Upon receiving an interrupt signal from the interrupt controller304 (S771), theCPU301 reads the vector table503 (S772), and executes the interrupthandler518 according to the vector table503 (S773).
• First, theCPU301 reads the execution flag515 (S774). If theexecution flag515 is ON (S775:0N), theCPU301 encrypts the data in the memory area using the encryption/decryption key (S776). TheCPU301 also saves a context (S777), and performs a mail reception process (S778). If theexecution flag515 is OFF (S775:OFF), theCPU301 performs steps S777 and S778 without encrypting the data in the memory area.
• After the mail reception process, if theexecution flag515 is ON (S779: ON), theCPU301 decrypts the data in the memory area (S780), before returning to original processing. If theexecution flag515 is OFF (S779:OFF), theCPU301 returns to the original processing without decrypting the data in the memory area.
3. Modifications
• The present invention has been described by way of the above embodiment, though it should be obvious that the present invention is not limited to the above. Example modifications are given below.
• (1) The above embodiment describes an example of protecting an encrypted music data decryption program which is executed by a portable terminal, though the present invention is not limited to such.
• Example devices which execute a program to be protected include a DVD player, a DVD recorder, a PC, and a PDA.
• Also, example programs to be protected include a decryption program used when playing back video content or a game on a portable terminal, and a recording program used when recording content on a DVD recorder. Thus, the present invention is applicable to any program that need be protected against unauthorized analysis and alteration.
• (2) The above embodiment describes the case where a hash value is used as the tamper detection value, though any value that is unique to the TRS area program can be used as the tamper detection value. For instance, a digital signature for the TRS area program or data generated by encrypting the TRS area program may be used as the tamper detection value. Also, algorithms other than the one used in the embodiment may be employed to calculate the hash value.
• The above embodiment describes the case where the tamper detection value is generated for the TRS area program, but the tamper detection value may instead be generated for at least one part of the TRS area program. Alternatively, the tamper detection value may be generated for at least one part of the second secure processing program.
• Also, the tamper detection may be carried out by performing matching for at least one part of the TRS area program or the second secure processing program, or by embedding a psuedo-random number in at least one part of the TRS area program or the second secure processing program. In other words, any tamper detection method that can detect whether a program has been tampered with is applicable.
• The above embodiment describes the case where the tamper detection is performed after the debugger disable circuit disconnects the debugger device. As an alternative, the tamper detection may be performed before the disconnection by the debugger disable circuit. In such a case, if no tampering is detected, the debugger disable circuit disconnects the debugger device to proceed to subsequent processing.
• (3) The above embodiment describes the case where the calling program in the second secure processing program passes the tamper detection data to the first secure processing program. As an alternative, a program other than the second secure processing program may pass the tamper detection data to the first secure processing program. In this case, the calling program in the second secure processing program only calls the first secure processing program. Meanwhile, a sending program for sending the tamper detection data to the first secure processing program is stored in thememory305. This being so, upon being called by the second secure processing program, the first secure processing program requests the sending program to send the tamper detection data. The sending program responsively sends the tamper detection data to the first secure processing program.
• In such a case, the certificate authority device does not include this sending program in the protection program of the second secure processing program, but generates it separately from the second secure processing program.
• Also, the first secure processing program may contain the tamper detection data of the second secure processing program beforehand.
• (4) The above embodiment describes the case where the second secure processing program performs one-way authentication on the first secure processing program, but the second secure processing program and the first secure processing program may perform two-way authentication. Also, the above embodiment describes the use of a challenge-response authentication method, though other authentication methods for authenticating a program can equally be used.
• The above embodiment describes the case where authentication values R1 and R2 are generated by encrypting random number R0 using the authentication key, but they may instead be generated by applying a one-way function to random number R0.
• The above embodiment describes the case where the session key is generated from random number R0 and the authentication key using a one-way function, though the session key may instead be generated by encryption.
• (5) The above embodiment describes the case where the area encryption program encrypts the data in the memory area before control is transferred from the second secure processing program to the first secure processing program. The area encryption program may also encrypt the data in the memory area to protect the data, when control is transferred from the second secure processing program to another program such as when the second secure processing program calls an external function.
• In such a case, when control is returned to the second secure processing program, the area decryption program decrypts the encrypted data in the memory area to recover the original data.
• (6) A unique master key may be assigned to each device which executes a program to be protected. In this case, even if an unauthorized user steals a master key of one device and attempts to attack other devices using the master key, the unauthorized user cannot operate the other devices properly. This minimizes damage caused by unauthorized acts.
• (7) The above embodiment describes the case where the first secure processing program and the second secure processing program each contain the authentication key. Alternatively, the authentication key may be calculated based on the program key or the tamper detection value.
• Also, the certificate authority device may encrypt the authentication key using the master key. In this case, the program key for decrypting the encrypted program can be calculated based on the authentication key.
• When the key used for authentication and the key used for decryption of the encrypted program have a dependency relationship in this way, any of the keys may be encrypted. Further, multiple encryption stages may be performed using a greater number of keys, such as by encrypting the encrypted key using another key.
• (8) The present invention also applies to the method described above. This method may be realized by a computer program that is executed by a computer. Such a computer program may be distributed as a digital signal.
• The present invention may be realized by a computer-readable storage medium, such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, a BD, or a semiconductor memory, on which the computer program or digital signal mentioned above is recorded. Conversely, the present invention may also be realized by the computer program or digital signal that is recorded on such a storage medium.
• The computer program or digital signal that achieves the present invention may also be transmitted via a network, such as an electronic communications network, a wired or wireless communications network, or the Internet.
• The present invention can also be realized by a computer system that includes a microprocessor and a memory. In this case, the computer program can be stored in the memory, with the microprocessor operating in accordance with this computer program.
• The computer program or digital signal may be provided to an independent computer system by distributing a storage medium on which the computer program or digital signal is recorded, or by transmitting the computer program or digital signal via a network. The independent computer system may then execute the computer program or digital signal to function as the present invention.
• (8) The above embodiment and modifications may be freely combined.
• The present invention can be used recurrently and continuously in software industries which provide software such as computer programs and digital content of movies, music, and the like. Also, the present invention can be manufactured and sold in manufacturing industries of electrical products and the like.

Claims (21)

1. An information processing device comprising:

a processor configured to 1) execute a first program component for operating in a secure processing mode and performing tamper detection, and 2) execute a second program component for operating in a normal processing mode and performing a task; and

a hardware memory configured to store at least the second program component,

wherein the processor is configured to execute the first program component for determining whether at least part of the second program component is tampered with, by using a tamper detection value and while operating in the secure processing mode, and

the first program component operated in the secure processing mode cannot be accessed from the second program component operated in the normal processing mode.

2. The information processing device regarding to theclaim 1,

wherein the tamper detection value is a first hash value.

3. The information processing device regarding to theclaim 2,

wherein the first hash value is calculated prior to executing the second program component.

4. The information processing device regarding to theclaim 2,

wherein the processor is configured to execute the first program component for determining whether at least part of the second program component is tampered with, by comparing the first hash value and a second hash value which is calculated after the calculation of the first hash value.

5. The information processing device regarding to theclaim 1,

wherein the secure processing mode is a higher security level than the normal processing mode

6. The information processing device regarding to theclaim 1,

wherein the processor is configured to execute the second program component after the second program component receives a Key for decryption from the first program component.

7. The information processing device regarding to theclaim 6,

wherein the second program component receives the Key from the first component after the processor determines whether at least part of the second program component is tampered with.

8. A portable terminal comprising:

a processor configured to 1) execute a first program component for operating in a secure processing mode and performing tamper detection, and 2) execute a second program component for operating in a normal processing mode and performing a task; and

a hardware memory configured to store at least the second program component,

wherein the processor is configured to execute the first program component for determining whether at least part of the second program component is tampered with, by using a tamper detection value and while operating in the secure processing mode, and

the first program component operated in the secure processing mode cannot be accessed from the second program component operated in the normal processing mode.

9. The portable terminal regarding to theclaim 8,

wherein the tamper detection value is a first hash value.

10. The portable terminal device regarding to theclaim 9,

wherein the first hash value is calculated prior to executing the second program component.

11. The portable terminal device regarding to theclaim 9,

wherein the processor is configured to execute the first program component for determining whether at least part of the second program component is tampered with, by comparing the first hash value and a second hash value which is calculated after the calculation of the first hash value.

12. The portable terminal device regarding to theclaim 8,

wherein the secure processing mode is a higher security level than the normal processing mode.

13. The portable terminal device regarding to theclaim 8,

wherein the processor is configured to execute the second program component after the second program component receives a Key for decryption from the first program component.

14. The portable terminal device regarding to theclaim 13,

wherein the second program component receives the Key from the first component after the processor determines whether at least part of the second program component is tampered with.

15. A method for operating a portable terminal having a processor executing 1) a first program component for operating in a secure processing mode and performing tamper detection, and 2) a second program component for operating in a normal processing mode and performing a task, and a hardware memory storing at least the second program component, the method comprising:

executing the first program component by the processor for determining whether at least part of the second program component is tampered with, by using a tamper detection value and while operating in the secure processing mode; and

executing the second program component by the processor after the processor determines the second program component is not tampered,

wherein the first program component operated in the secure processing mode cannot be accessed from the second program component operated in the normal processing mode.

16. The method regarding to theclaim 15,

wherein the tamper detection value is a first hash value.

17. The method regarding to theclaim 16,

wherein the first hash value is calculated prior to executing the second program component.

18. The method regarding to theclaim 16,

wherein the processor is configured to execute the first program component for determining whether at least part of the second program component is tampered with, by comparing the first hash value and a second hash value which is calculated after the calculation of the first hash value.

19. The method regarding to theclaim 15,

wherein the secure processing mode is a higher security level than the normal processing mode.

20. The method regarding to theclaim 15,

wherein the processor is configured to execute the second program component after the second program component receives a Key for decryption from the first program component.

21. The method regarding to theclaim 19,

wherein the second program component receives the Key from the first component after the processor determines whether at least part of the second program component is tampered with.

Images